ghsa-22qq-3xwm-r5x4
Vulnerability from github
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes
Impact
A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.
In the blocksync
protocol peers send their base
and latest
heights when they connect to a new node (A
), which is syncing to the tip of a network. base
acts as a lower ground and informs A
that the peer only has blocks starting from height base
. latest
height informs A
about the latest block in a network. Normally, nodes would only report increasing heights:
B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
If B
fails to provide the latest block, B
is removed and the latest
height (target height) is recalculated based on other nodes latest
heights.
The existing code hovewer doesn't check for the case where B
first reports latest
height X
and immediately after height Y
, where X > Y
. For example:
B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
A
will be trying to catch up to 2000 indefinitely. Even if B
disconnects, the latest
height (target height) won't be recalculated because A
"doesn't know where 2000" came from per see.
Impact Qualification
This condition requires the introduction of malicious code in the full node first reporting a non-existing latest
height, then reporting lower latest
height and nodes which are syncing using blocksync
protocol.
Patches
The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.
Unreleased code in the main is patched as well.
Workarounds
When the operator notices blocksync
is stuck, they can identify the peer from which that message with "invalid" height was received. This may require increasing the logging level of the blocksync
module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.
References
If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cometbft/cometbft" }, "ranges": [ { "events": [ { "introduced": "1.0.0-alpha.1" }, { "fixed": "1.0.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cometbft/cometbft" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.38.17" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2025-24371" ], "database_specific": { "cwe_ids": [ "CWE-703" ], "github_reviewed": true, "github_reviewed_at": "2025-02-03T15:55:28Z", "nvd_published_at": "2025-02-03T22:15:28Z", "severity": "MODERATE" }, "details": "Name: ASA-2025-001: Malicious peer can disrupt node\u0027s ability to sync via blocksync\nComponent: CometBFT\nCriticality: Medium (Considerable Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: \u003c= v0.38.16, v1.0.0\nAffected users: Validators, Full nodes\n\n### Impact\n\nA malicious peer may be able to interfere with a node\u0027s ability to sync blocks with peers via the blocksync mechanism. \n\nIn the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower ground and informs `A` that the peer only has blocks starting from height `base`. `latest` height informs `A` about the latest block in a network. Normally, nodes would only report increasing heights:\n\n```\nB: {base: 100, latest: 1000}\nB: {base: 100, latest: 1001}\nB: {base: 100, latest: 1002}\n...\n```\n\nIf `B` fails to provide the latest block, `B` is removed and the `latest` height (target height) is recalculated based on other nodes `latest` heights.\n\nThe existing code hovewer doesn\u0027t check for the case where `B` first reports `latest` height `X` and immediately after height `Y`, where `X \u003e Y`. For example:\n\n```\nB: {base: 100, latest: 2000}\nB: {base: 100, latest: 1001}\nB: {base: 100, latest: 1002}\n...\n```\n\n`A` will be trying to catch up to 2000 indefinitely. Even if `B` disconnects, the `latest` height (target height) won\u0027t be recalculated because `A` \"doesn\u0027t know where 2000\" came from per see.\n\n#### Impact Qualification\n\nThis condition requires the introduction of malicious code in the full node first reporting a non-existing `latest` height, then reporting lower `latest` height and nodes which are syncing using `blocksync` protocol.\n\n### Patches\n\nThe new CometBFT releases [v1.0.1](https://github.com/cometbft/cometbft/releases/tag/v1.0.1) and [v0.38.17](https://github.com/cometbft/cometbft/releases/tag/v0.38.17) fix this issue.\n\nUnreleased code in the main is patched as well.\n\n### Workarounds\n\nWhen the operator notices `blocksync` is stuck, they can identify the peer from which that message with \"invalid\" height was received. This may require increasing the logging level of the `blocksync` module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.\n\n### References\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. \n\nA Github Security Advisory for this issue is available in the CometBFT [repository](https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4). For more information about CometBFT, see https://docs.cometbft.com/.", "id": "GHSA-22qq-3xwm-r5x4", "modified": "2025-02-05T16:32:32Z", "published": "2025-02-03T15:55:28Z", "references": [ { "type": "WEB", "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24371" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5" }, { "type": "PACKAGE", "url": "https://github.com/cometbft/cometbft" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.17" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/releases/tag/v1.0.1" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3442" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "CometBFT allows a malicious peer to make node stuck in blocksync" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.